Network and certificates
A consolidated reference for whoever manages firewalls, certificates, and network access for the server RLV Scribe runs on - pulling together what’s covered step by step in Installing RLV Scribe and Licensing your installation.
How the pieces connect
Section titled “How the pieces connect”RLV Scribe and Qlik Sense Enterprise run on the same Windows Server - this isn’t optional (see Installing RLV Scribe for why). From there:
- Qlik Sense’s Engine service talks to RLV Scribe’s writeback connector locally, over loopback only - never across the network.
- Every browser that opens a Qlik app containing the RLV Scribe extension, or signs in to the admin console, talks to RLV Scribe directly, over the network, on its own address and port.
- RLV Scribe itself talks outbound to your SQL Server database and to Relevance Management’s licensing server.
| Port | Protocol | Purpose | Direction |
|---|---|---|---|
| 7011 | HTTPS | Admin console, RLV Scribe’s API, and every writeback call from a Qlik app user’s browser | Inbound, from wherever your users and administrators connect |
| 3285 (production) / 3286 (development installs) | gRPC, mutual TLS | The SSE connector Qlik Sense Engine uses for writeback expressions | Inbound, loopback (127.0.0.1) only - never reachable from another machine |
| 4242 | HTTPS | Qlik Sense’s own Repository Service (QRS) | Local only - RLV Scribe’s installer uses this once, to upload the extension and register the analytic connection. This is Qlik Sense’s port, not RLV Scribe’s. |
| 5001 | HTTPS | api.relevance.ro - Relevance Management’s licensing server |
Outbound |
| Whatever you configure (commonly 1433 for SQL Server) | SQL Server | Your writeback target database | Outbound - set in Connections, not fixed by RLV Scribe |
Firewall checklist
Section titled “Firewall checklist”Inbound, on the RLV Scribe / Qlik Sense server:
- TCP 7011 - open to wherever your Qlik app users and administrators connect from (often your whole internal network, or wherever your Qlik Sense hub is already reachable from).
- TCP 3285 - only needs a local Windows Firewall allowance, since this connection never crosses the network; the installer reminds you of this if firewall is active.
Outbound, from that same server:
- TCP 5001 to
api.relevance.ro- required for licensing to activate and stay valid. - Your SQL Server’s port - whatever you entered as the connection’s Server Name.
Certificates
Section titled “Certificates”RLV Scribe involves three separate certificates, each for a different purpose - don’t confuse them.
1. The HTTPS certificate on port 7011
Section titled “1. The HTTPS certificate on port 7011”What every browser sees when it opens a Qlik app with the extension, or signs in to the admin console. By default, RLV Scribe looks for a certificate matching the machine’s name in the Windows certificate store; if it doesn’t find one, it self-signs a certificate valid for 5 years, trusted only on this machine.
This is the certificate to replace with a real one before going to production - since it’s
presented directly to every end user’s browser, not just administrators, an untrusted
certificate here shows a security warning to everyone, every time. See Installing RLV Scribe →
HTTPS certificate for how to pin a
real one via appsettings.json.
2. The SSE mutual-TLS certificate pair
Section titled “2. The SSE mutual-TLS certificate pair”Secures the connection between Qlik Sense Engine and RLV Scribe’s writeback connector on port
3285. Lives in the SseCertificates\ folder of the install directory, and is set up
automatically by the installer - there’s nothing to configure by hand.
3. Qlik Sense’s own local repository certificate
Section titled “3. Qlik Sense’s own local repository certificate”Used once, during installation, so RLV Scribe’s setup step can authenticate to Qlik Sense’s
Repository Service (QRS) and upload the extension automatically. This is Qlik Sense’s own
certificate (client.pem / client_key.pem, exported automatically by Qlik Sense itself to
C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates\) - RLV Scribe
reads it but doesn’t manage or replace it.
Licensing
Section titled “Licensing”RLV Scribe validates its license against https://api.relevance.ro:5001 - the same licensing
server KPImailer uses, if you also run that product. This needs:
- Outbound network access from the RLV Scribe server to that address, at install time (for registration) and once a day afterward (for the automatic validity check) - or a configured proxy if this server doesn’t have direct internet access.
- Nothing inbound - all licensing traffic is initiated by RLV Scribe itself.
A lapsed license blocks every writeback call across every connected Qlik app until it’s resolved - see License and activation.